As prescribed in [15-03B], in paragraph 2, titled Request for Proposals, Quotations, or Invitation for Bids, the contracting officer shall insert the following provision:
REVIEW OF THE OFFEROR’S INFORMATION TECHNOLOGY SYSTEMS SUPPLY CHAIN
(APR 2016[SEP 2018]) (DEVIATION)
(a) Definitions, as used in this provision.
“Acquire” means to procure with appropriated funds by and for the use of NASA through purchase or lease.
“Information Technology (IT) System” [is defined as any equipment or system that is used in the acquisition, storage, retrieval, manipulation and/or transmission of data or information. This includes computers, ancillary and peripheral equipment, software and firmware.]
means the combination of hardware components, software, and other equipment to make a system whose core purpose is to accomplish a data processing need such as the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission or reception of data. IT systems include ground systems in support of flight hardware. IT systems do not include—
• Systems acquired by a contractor incidental to a contract and not directly charged to the contract, such as a contractor's payroll and personnel management system;
• Systems that do not process NASA information, i.e., any data which is collected, generated, maintained, or controlled on behalf of the Agency.
• Imbedded IT that is used as an integral part of the product, but the principal function of which is not the acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. For example, HVAC (heating, ventilation, and air conditioning) equipment such as thermostats or temperature control devices, and medical equipment where IT is integral to its operation are not considered IT systems;
• Services in support of IT systems, such as help desk services; or
• Flight hardware, which includes aircraft, spacecraft, artificial satellites, launch vehicles, balloon systems, sounding rockets, on-board instrument and technology demonstration systems, and equipment operated on the International Space Station; as well as prototypes, and engineering or brass boards created and used to test, troubleshoot, and refine air- and spacecraft hardware, software and procedures.
(b) NASA’s OCIO will review the supply chain risk of cyber-espionage or sabotage before the Agency acquires any high-impact or moderate-impact IT system. NASA’s OCIO will use the security categorization in the National Institute of Standards and Technology’s (NIST) Federal Information Processing Standard Publication 199, “Standards for Security Categorization of Federal Information and Information Systems” to determine whether an IT system is high-impact or moderate-impact.
(c) The apparent successful offeror shall provide the following information for all IT systems offered:
(1) A brief description of the item(s).
(2) Vendor/manufacturer’s company name and address.
(3) If known, manufacturer’s web site, and the Commercial and Government Entity (CAGE) code.
(d) The Contracting Officer (CO) will provide the information referenced in paragraph (c) of this section to the NASA OCIO. NASA shall reject any IT system that the OCIO deems to be a high-impact or moderate-impact, unless it is determined that the acquisition is in the national interest of the United States. NASA’s OCIO reserves the right to make this decision, without any detailed explanation to the Offeror. The CO will advise the Offeror if any of its proposed IT systems are not approved and may provide the Offeror an opportunity to revise its proposal accordingly.
(End of provision)